Uncertain State Of Cyber War

Just what does "cyber warfare" mean? We're still figuring out tactics and capabilities.

Military agencies worldwide are right in the middle of figuring out the tactics and capabilities that will be critical in any future cyber war. So far, any conflicts are playing out behind the scenes, with only the rare accusation or public request for technology giving a glimpse into what offensive attacks between countries might look like.

Even what counts as "cyber warfare" remains an open question. Many cite, as the first known example of such operations, the distributed denial-of-service (DDoS) takedowns and hijacking of government and business websites in the country of Georgia in 2008, carried out at the same time as Russian military operations on the ground.

But there's scant proof that the Russian government launched or sponsored online attacks against Georgia, according to many security experts, including Robert David Graham, CEO of Errata Security. "There's no evidence the cyber attacks were by the Russian government, or that they were anything more than normal 'citizen hacktivism,'" he said in a blog post. It's notable that this supposed first-ever cyber war served no clear military purpose. Attackers compromised informational government websites, not critical infrastructure systems or military networks.

To be fair, even the would-be practitioners of cyber warfare -- namely, the U.S. military -- are themselves soliciting input on what offensive computer system attacks might look like, either on their own or in conjunction with physical operations and kinetic attacks.

Last year, for example, the Defense Advanced Research Projects Agency (DARPA) issued a call to tech vendors for "cyberspace warfare operations" capabilities, as part of what DARPA dubs Plan X. DARPA seeks a broad range of capabilities, from a scripted counter-response to a cyber attack to IT infrastructure that could be hardened to withstand attacks.

Similarly, the Air Force Life Cycle Management Center last year called on contractors to submit concept papers for "cyberspace warfare operations" capabilities, including "cyberspace warfare attack" and "cyberspace warfare support."

Capabilities on the Air Force wish list include "employing unique characteristics resulting in the adversary entering conflicts in a degraded state." In other words, why blow up an enemy's tank if you can instead somehow infect and kill the tank's electrical system?

Who else is bolstering their cyber war capabilities? Iran is a strong candidate, and in April 2012, the VP of the American Foreign Policy Council, Ilan Berman, told a U.S. House committee that Iran has been boosting its cyber warfare resources in the wake of online attacks against the country. The attacks include Stuxnet, malware blamed in 2010 for trying to attack power plant infrastructure. U.S. officials have accused the Iranian government of sponsoring DDoS attacks against U.S. banks. China has reportedly mobilized its own cyber army, and Russia last year launched a recruitment drive to find the country's best hacking minds, seeking people versed in "methods and means of bypassing antivirus software, firewalls, as well as in security tools of operating systems," the newspaper Pravda reported.

But while governments don't face the same legal problems that companies do when considering offensive attacks, they do face the same major intelligence challenge: accurately tracing an attack's true origin, a process known as attribution. While small-time cybercriminals may leave tracks, government-backed professionals will go to great lengths to hide what they're doing -- or perhaps, pin blame on another enemy.

"Uncertain," "open question," "scant proof" are the words used here to describe cyber war in these early days. That's unlikely to change anytime soon -- the players and their motives, techniques, and outcomes will remain fuzzy. But it's clear that the U.S. military, and no doubt other national defense agencies, are shifting focus from cyber defense to offensive capabilities. Some say the threat is extreme -- Leon Panetta warned of a "cyber Pearl Harbor" -- while others say such talk is overblown. I'm in the camp that believes the threat is real. Good to know that DARPA has Plan X. Hopefully the Pentagon has Plan A and Plan B too.

While it is unlikely that the Russian Government directly perpetrated the Georgia cyber attacks, I believe that there was a level of state involvement (with Estonia too, but we'll leave that to one side). The timing of the main thrust of the cyber attacks coincided with the advance of Russia's force that had massed on the northern border of South Ossetia. The cyber attacks were in concert with the ground force. The much talked about stopgeorgia.ru that is oft-pointed to as evidence that nationalistic hackers perpetrated the attacks without government direction was not set up until the following day. The site was obviously not necessary for the coordinated cyber attack that occurred alongside the ground invasion.

The other side of this is the strategic. The article described the cyber campaign as serving "no clear military purpose". That isn't the case. The Russian information campaign was advanced - winning the war of public (and world) opinion was important. They wanted to paint Saakashvili as a bellicose warmonger. Russia's information campaign was important - the military flew 50 journalists to South Ossetia shortly before war broke out to cover the coming conflict from the Russian perspective. On the other hand, journalists in Georgia were unable to share their side of the conflict effectively. Some foreign news websites were blocked and the cyber campaign led to a difficulty in communicating the Georgian message. In this way, the cyber campaign fit into a broader Russian info-war campaign. That was the strategic value.

I'd recommend the US Cyber Consequences Unit's report on the conflict as further reading on the topic for anyone interested.

Published: 2015-03-31